“Privacy by Design” in the Smart Grid

Working with students at UC Berkeley’s Samuelson Law, Technology, and Public Policy Clinic, CDT submitted comments to the National Institute of Standards and Technology (NIST) calling for the implementation of strong privacy principles in NIST’s effort to coordinate the development of standards for the modernized and interconnected “smart” electricity grid.

The Smart Grid promises great benefits to consumers and the environment. At the same time, it presents new risks to privacy in its enhanced collection and use of highly granular consumption data—such as near real-time energy use data and individual appliance usage data—which reveal intimate details about activities within the home. Data likely to be collected via Smart Grid technologies can reveal when a family is home or away, when family members are engaged in activities such as cooking or sleeping, and when appliances such as medical devices or home spas are in use—in short, a picture of intimate home life.

Activities within the home have long enjoyed particular protection in United States tradition and law. However, the Smart Grid can take information about home life outside the home and outside the traditional purview of these longstanding protections. The entrance of new entities and technologies delivering energy services, the speed at which this new infrastructure is being deployed, and the lack of clear governing rules add further urgency to the need to address the privacy risks to consumers created by the Smart Grid.

Fortunately, creating privacy-protective systems and technologies for the Smart Grid should not require a tradeoff with functionality—what it will require is thoughtful design. NIST is especially well placed to encourage the development of standards that both fulfill the promise of the Smart Grid and protect privacy. In adopting a “privacy by design” approach, rather than attempting to tack on privacy at a later point, NIST can support the most effective means of protecting consumer privacy in the Smart Grid, and provide needed guidance to state regulators and industry players.

As such, CDT’s comments propose a specific framework for designing privacy into the Smart Grid, based on a comprehensive set of Fair Information Practice Principles (“FIPs”), that describe who should be covered, what types of data should be protected, and how a FIPs-based framework can ensure meaningful protections for consumers’ household energy data. CDT urges NIST to evaluate all of the technical standards identified for implementation in the Smart Grid against these principles, and to make recommendations regarding standards based upon these principles.

Developing effective privacy protections for the Smart Grid must be grounded in a thorough examination of how the proposed technologies will affect consumer privacy interests. To this end, CDT also urges NIST to develop a rigorous set of use cases that can inform standards bodies and the design of new Smart Grid technologies. NIST should recommend standards that make the grid greener, more efficient, more secure—and that protect privacy.